(Make sure you have Homebrew installed)
brew tap riboseinc/easy-rsa
brew install easy-rsa
$ easyrsa clean-all
WARNING!!!
You are about to remove the EASYRSA_PKI at: ~/pki/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.
Confirm removal: yes
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: ~/pki/pki
$ easyrsa build-ca nopass
Generating a 2048 bit RSA private key
..........+++
.......................................................................+++
writing new private key to '~/pki/pki/private/ca.key.0000000000'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
~/pki/pki/ca.crt
$ easyrsa build-server-full server nopass
Generating a 2048 bit RSA private key
......................................................................................................................+++
.....................................................................................................................................................................................+++
writing new private key to '~/pki/pki/private/server.key.0000000000'
-----
Using configuration from /usr/local/opt/easy-rsa/share/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jul 17 15:55:31 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
$ easyrsa gen-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
<output>
$ easyrsa build-client-full client1 nopass
$ easyrsa build-client-full client2 nopass
$ easyrsa build-client-full client3 nopass
cd ~/pki/pki
# Static Key
# (leave blank)
# Certificate Authority
cat ca.crt | pbcopy
# Server Certificate
cat issued/server.crt | pbcopy
# Server Key
cat private/server.key | pbcopy
# Diffie Hellman parameters
cat dh.pem | pbcopy
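
# Verify before pasting
An added check, not part of the original notes: it confirms that the files copied above belong together before they are pasted anywhere. The function name check_pki and its return codes are made up for this example; the paths follow the ~/pki/pki layout shown in the output above.

```shell
#!/bin/sh
# Added example: sanity-check an easy-rsa PKI directory before its files are pasted elsewhere.
# Return codes (chosen for this example): 0 ok, 2 missing file, 3 key readable by
# group/other, 4 chain failure, 5 key/cert mismatch, 6 no serverAuth EKU, 7 bad DH params.
check_pki() {
    pki=$1
    ca=$pki/ca.crt
    crt=$pki/issued/server.crt
    key=$pki/private/server.key
    dh=$pki/dh.pem

    for f in "$ca" "$crt" "$key" "$dh"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # Keys built with 'nopass' are unencrypted on disk, so the file mode is the only protection.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "private key is readable by group or other: $key" >&2
        return 3
    fi

    # The server certificate must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "server cert does not chain to ca.crt" >&2; return 4; }

    # Compare the public key in the certificate with the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "server.key does not match server.crt" >&2; return 5; }

    # build-server-full issues a server-type cert; a client cert pasted here would lack this EKU.
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication' ||
        { echo "server cert lacks the serverAuth extended key usage" >&2; return 6; }

    # Match on the success message rather than relying on the exit status of -check.
    openssl dhparam -in "$dh" -check -noout 2>&1 | grep -q 'appear to be ok' ||
        { echo "dh.pem failed the parameter check" >&2; return 7; }

    echo "PKI at $pki looks consistent"
}

# When run as a script with a directory argument, check that directory.
if [ "$#" -gt 0 ]; then check_pki "$1"; fi
```

Run it as `sh check_pki.sh ~/pki/pki` (the script file name is arbitrary); a non-zero exit status identifies which check failed.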